Cleartext Credential Exposure in Dropbox Desktop Application
CVE-2019-12171

7.8HIGH

Key Information:

Vendor

Dropbox

Status
Dropbox
Vendor
CVE Published:
8 July 2019

What is CVE-2019-12171?

The Dropbox desktop application version 71.4.108.0 contains a vulnerability where cleartext credentials are stored in memory after user login or account creation. This sensitive information is inadequately handled, leading to potential unauthorized access. The issue arises in Dropbox.exe and the Web Helper component, QtWebEngineProcess.exe, where critical user data remains exposed throughout the application's lifecycle. This flaw highlights the importance of secure memory management to prevent data leaks.

References

https://drive.google.com/open?id=1msz6pb08crPC0VT7s_Z_KTs...
x_refsource_MISC
https://drive.google.com/open?id=1DCGurwRTu0HsUpTglVR0jgI...
x_refsource_MISC

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.